Security: FTHTrading/2500-donkeys

SECURITY.md

Security Policy

Project: LPS-1 — Literary Publishing Standard
Maintainer: XXXIII Working Group (FTH Trading)
Scope: Smart contracts, site infrastructure, build pipeline


Reporting a Vulnerability

If you discover a security vulnerability in the LPS-1 protocol, smart contracts, or site infrastructure, please report it responsibly:

Email: kevan.burns@fthtrading.com
Subject line: [SECURITY] LPS-1 — <brief description>

Please include:

  • Description of the vulnerability
  • Steps to reproduce
  • Affected component (contract, site, pipeline)
  • Potential impact assessment

We will acknowledge receipt within 48 hours and provide an initial assessment within 7 days.

Do not open a public GitHub issue for security vulnerabilities.


Scope

The following components are in scope for security reports:

| Component | Location | Type |
|---|---|---|
| LiteraryAnchor | 0x97f456300817eaE3B40E235857b856dfFE8bba90 | Smart contract (Polygon) |
| KernelV2 | 0xca9F6604A9b498DB31d113836E2957c0a9aAE037 | Smart contract (Polygon) |
| AuthorIdentity | 0xB9ffa688A8Bb332221030BbBE46bE5bF03323170 | Smart contract (Polygon) |
| RoyaltyRouter | 0x44169829489d70aaecbf845870652871C65fC461 | Smart contract (Polygon) |
| EditionNFT | 0x9e9Cc1486bf440Bd9eAaaD947958524Aaed3f8b0 | Smart contract (Polygon) |
| StoryNFT | 0xD67e537Dba1236f802432cbDD30Fec3f6D38e7E3 | Smart contract (Polygon) |
| Kernel (v1) | 0x511c653fC0F450ba41C42A89A3125CcBf2eFE8ae | Smart contract (Polygon) |
| Site | xxxiii.io | Static site (Cloudflare Pages) |
| Build pipeline | scripts/, verify/ | Node.js tooling |

Security Documentation


Security Properties

All seven smart contracts are non-upgradeable by design:

  • No proxy pattern
  • No admin key
  • No governance override
  • No selfdestruct or delegatecall
  • Forward-only edition lifecycle (Draft → Anchored → Frozen)

State transitions are enforced on-chain. Once an edition is frozen, it cannot be modified or deleted by any party, including the contract deployer.
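
One way to spot-check the "No selfdestruct or delegatecall" property against runtime bytecode (as returned by the `eth_getCode` JSON-RPC method), as an added example that is not part of this repository's tooling. The function names are hypothetical, the hex strings are constructed samples rather than the code of the contracts listed above, and the metadata-trailer detection is a heuristic that assumes solc's convention of appending CBOR metadata followed by a two-byte length.

```javascript
// Added example (not project code): linear sweep over EVM runtime bytecode that
// reports opcodes contradicting the "no selfdestruct or delegatecall" property.
const FLAGGED = new Map([[0xf4, 'DELEGATECALL'], [0xff, 'SELFDESTRUCT']]);

function hexToBytes(hex) {
  const clean = hex.replace(/^0x/, '');
  if (clean.length % 2 !== 0 || /[^0-9a-f]/i.test(clean)) throw new Error('invalid hex');
  return Uint8Array.from(clean.match(/../g) || [], (b) => parseInt(b, 16));
}

// Assumption: solc-style trailer, i.e. CBOR metadata followed by its two-byte
// big-endian length. Returns the trailer's start offset, or code.length if
// no trailer is recognised.
function metadataStart(code) {
  if (code.length < 3) return code.length;
  const len = (code[code.length - 2] << 8) | code[code.length - 1];
  const start = code.length - 2 - len;
  const isCborMap = start >= 0 && (code[start] & 0xe0) === 0xa0; // major type 5
  return len > 0 && isCborMap ? start : code.length;
}

function scanBytecode(hex) {
  const code = hexToBytes(hex);
  const trailer = metadataStart(code);
  const hits = [];
  for (let pc = 0; pc < code.length; pc++) {
    const op = code[pc];
    if (op >= 0x60 && op <= 0x7f) {
      pc += op - 0x5f; // skip PUSH1..PUSH32 immediates so data bytes are not misread
      continue;
    }
    // Trailer hits are kept but marked, so nothing is silently hidden from review.
    if (FLAGGED.has(op)) hits.push({ offset: pc, opcode: FLAGGED.get(op), inMetadata: pc >= trailer });
  }
  return hits;
}

// Constructed samples, not the bytecode of any deployed contract.
const SAMPLES = {
  pushDataOnly: '0x60ff60005260206000f3', // 0xff appears only as a PUSH1 immediate
  selfdestruct: '0x6000ff',               // PUSH1 0x00; SELFDESTRUCT
  delegatecall: '0x6000600060006000305af4',
  trailerOnly: '0x00a1fff40003',          // STOP, then a fake 3-byte trailer + length
};

for (const [name, hex] of Object.entries(SAMPLES)) {
  console.log(name, JSON.stringify(scanBytecode(hex)));
}
```

A linear sweep can over-report when data is embedded in the code section, so a hit is a prompt for manual review of the verified source rather than proof that the opcode is reachable.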


Third-Party Audit

A third-party security audit of all seven deployed contracts is planned and budgeted as part of the Phase II roadmap. The audit report will be published in this repository upon completion.


Supported Versions

| Version | Supported |
|---|---|
| 1.1 (current) | Yes |
| < 1.0 | No |

There aren’t any published security advisories